Firewall Wizards mailing list archives
RE: Odd scan to port 36867
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 16 Nov 2004 10:29:01 +0100
Could be malware activity, or someone scanning for backdoors / botnets. None of the current big name malware uses that port by default AFAIK, but I guess there could be variants. Personally, I'd be interested in seeing more of the logs - there might be patterns in the source port, IPID etc. which often indicate that it's malware generated. You can send those through to me direct if you don't want to bore the list.

The TTL is 103 - that means it's odds on that this traffic came from a Windows system. Default TTL is 64 on most of the unix / linux variants (it could be VMS, but there are too many unique sources!). If your logs show other packets with TTL 0<ttl<64 then it's almost certainly scanning activity not malware, since it's cross platform.

rDNS says this is ip142177185232.mpoweredpc.net so this _particular_ probe seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky German.

SANS Dshield is dead right now, but normally I would also check there, to see if what you're seeing is backed up by a local / global increase. You could also submit it to the handlers there, they do good Sherlock Holmes work, if they've got time.

If this is what it looks like (perps scanning for non-standard backdoors) then it would be good to investigate further. Then again it could just be nothing, who knows.

Cheers,
ben
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of SiegeX
Sent: Monday, November 15, 2004 3:05 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Odd scan to port 36867

Hi guys,

I recently decided to write a simple bash script to go through all my iptables logs and see which ports were being hit the most. Note that I only logged NEW connections to ports that aren't open on my computer. Here are the top 10 results:

495 36867
[...]
Below is a sample from my iptables logs so you can see what I'm parsing.

Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0

Just to make sure that this port is not being hit by one or two different guys, I parsed my logs to see how many unique IPs were hitting port 36867 and I came up with 173 unique IPs.
[...]
I've yet to cross-reference the 173 unique IPs hitting port 36867 to MaxMind's database, but I have a strong feeling that they are coming from Germany. I hope you guys have a better clue what's going on than I do. Thanks.

-Sean
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
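The triage both posters describe, counting hits per destination port, counting unique sources per port, and reading the TTL to guess the sending platform, as an added Python example that is not code from either poster. The sample log lines are constructed: only the first line's values come from the post, the other source addresses are RFC 5737 documentation ranges, and the mapping of observed TTL to an initial TTL of 64/128/255 is a heuristic assumption (a host can set any initial TTL, and NAT or tunnels shift the observed value).

```python
"""Summarise iptables LOG lines: top destination ports, unique sources per port,
and a TTL-based guess at each source's initial TTL family."""
from collections import Counter, defaultdict

# Constructed sample log. Line 1 repeats the values quoted in the post; the
# remaining lines are invented and use documentation addresses (RFC 5737).
SAMPLE_LOG = """\
Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:52:02 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=198.51.100.7 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=110 ID=4410 DF PROTO=TCP SPT=1034 DPT=36867 SEQ=11223344 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:53:11 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=198.51.100.7 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=110 ID=4411 DF PROTO=TCP SPT=1035 DPT=36867 SEQ=11223399 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:55:40 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=203.0.113.9 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40022 DPT=36867 SEQ=987654321 ACK=0 WINDOW=5840 SYN URGP=0
Nov 14 11:01:05 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=203.0.113.21 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=55121 DPT=135 SEQ=5550001 ACK=0 WINDOW=5840 SYN URGP=0
Nov 14 11:03:19 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=192.0.2.44 DST=X.X.X.X LEN=44 TOS=00 PREC=0x00 TTL=241 ID=19 PROTO=TCP SPT=33001 DPT=22 SEQ=7770001 ACK=0 WINDOW=8192 SYN URGP=0
"""

# Heuristic assumption: common initial TTLs are 64 (Linux/BSD/macOS),
# 128 (Windows) and 255 (some routers and older Unix stacks).
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_line(line):
    """Split one iptables LOG line into key=value fields plus bare flags (DF, SYN, ...).
    Returns None for lines that carry no IN= field, i.e. not a netfilter log line."""
    start = line.find("IN=")
    if start < 0:
        return None
    fields, flags = {}, set()
    for token in line[start:].split():
        if "=" in token:
            key, value = token.split("=", 1)   # OUT= yields an empty value, which is fine
            fields[key] = value
        else:
            flags.add(token)
    fields["flags"] = flags
    return fields


def parse_log(text):
    """Parse every line that has a destination port; skip anything else."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r and "DPT" in r]


def top_ports(records, n=10):
    """Most-hit destination ports as (port, hits) pairs, like the poster's top-10 list."""
    return Counter(int(r["DPT"]) for r in records).most_common(n)


def unique_sources_per_port(records):
    """Map each destination port to the set of distinct SRC addresses that hit it."""
    by_port = defaultdict(set)
    for r in records:
        by_port[int(r["DPT"])].add(r["SRC"])
    return by_port


def guess_initial_ttl(observed):
    """Nearest common initial TTL at or above the observed value, plus implied hop count.
    Heuristic only; see COMMON_INITIAL_TTLS."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    return None, None


def ttl_families(records, port):
    """Per unique source hitting `port`, count which initial-TTL family it falls in.
    Every source in one family is consistent with a single-platform origin;
    a mix of families points at cross-platform scanning rather than one worm."""
    family_by_source = {}
    for r in records:
        if int(r["DPT"]) == port:
            family_by_source.setdefault(r["SRC"], guess_initial_ttl(int(r["TTL"]))[0])
    return Counter(family_by_source.values())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    sources = unique_sources_per_port(recs)
    for port, hits in top_ports(recs):
        print(f"{hits:4d} hits on {port:5d}: {len(sources[port])} unique sources, "
              f"TTL families {dict(ttl_families(recs, port))}")
```

On the constructed sample, port 36867 shows two sources in the 128 family and one in the 64 family, which is the mixed picture Ben says points at cross-platform scanning; run it against a real log and the same split (or its absence) is what to look at before assuming a single piece of malware.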